Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package go1.25 for openSUSE:Factory checked in at 2026-05-08 16:46:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/go1.25 (Old) and /work/SRC/openSUSE:Factory/.go1.25.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go1.25" Fri May 8 16:46:41 2026 rev:17 rq:1351540 version:1.25.10 Changes: -------- --- /work/SRC/openSUSE:Factory/go1.25/go1.25.changes 2026-04-09 16:22:16.684427364 +0200 +++ /work/SRC/openSUSE:Factory/.go1.25.new.1966/go1.25.changes 2026-05-08 16:47:12.897774548 +0200 @@ -1,0 +2,36 @@ +Thu May 7 16:14:10 UTC 2026 - Jeff Kowalczyk <[email protected]> + +- go1.25.10 (released 2026-05-07) includes security fixes to the go + command, the pack tool, and the html/template, net, net/http, + net/http/httputil, net/mail, and syscall packages, as well as bug + fixes to the go command, the compiler, the linker, the runtime, + and the crypto/fips140, go/types, and os packages. + Refs boo#1244485 go1.25 release tracking + CVE-2026-33811 CVE-2026-33814 CVE-2026-39817 CVE-2026-39819 CVE-2026-39820 CVE-2026-39823 CVE-2026-39825 CVE-2026-39826 CVE-2026-39836 CVE-2026-42499 CVE-2026-42501 + * go#78812 go#78803 boo#1264508 security: fix CVE-2026-33811 net: crash when handling long CNAME response + * go#78477 go#78476 boo#1264506 security: fix CVE-2026-33814 net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE + * go#78790 go#78778 boo#1264505 security: fix CVE-2026-39817 cmd/go: "go tool pack" does not sanitize output paths + * go#78587 go#78584 boo#1264504 security: fix CVE-2026-39819 cmd/go: "go bug" follows symlinks in predictable temporary filenames + * go#78567 go#78566 boo#1264503 security: fix CVE-2026-39820 net/mail: quadratic string concatentation in consumeComment + * go#79031 go#78913 boo#1264509 security: fix CVE-2026-39823 html/template: bypass of meta content URL escaping causes XSS + * go#78985 go#78948 boo#1264500 security: fix CVE-2026-39825 net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters + * go#79024 go#78981 boo#1264507 security: fix CVE-2026-39826 html/template: escaper bypass leads to XSS + * go#79028 go#79006 boo#1264501 security: fix CVE-2026-39836 net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters + * go#79003 go#78987 boo#1264502 security: fix CVE-2026-42499 net/mail: quadratic string concatenation in consumePhrase + * go#79072 go#79070 boo#1264499 security: fix CVE-2026-42501 cmd/go: malicious module proxy can bypass checksum database + * go#77298 cmd/compile: go1.22+ cmd with go.mod 1.21 generates per-loop variable when using line directive + * go#78374 cmd/compile: incorrect loop trip count + * go#78405 cmd/link: stop requiring gold on arm64 when GNU ld is fixed + * go#78411 cmd/go: test -cover can't find covdata tool with switched toolchain and empty tests + * go#78510 cmd/cgo/internal/testsanitizers: TestLSAN/lsan1,2, and 3 always fail on linux with glibc 2.42 + * go#78581 cmd/compile: panic on invalid generic append with type parameter spread + * go#78582 cmd/go: test cache uses stale coverage data with -coverpkg + * go#78675 cmd/compile: ice expecting positive value on loop iterating by math.MinInt64 (regression) + * go#78866 os: RemoveAll can leak internal errSymlink as a user-visible PathError on Unix + * go#78983 lib/fips140: update certified and inprocess aliases + * go#79020 crypto/fips140: missing package comment +- Packaging improvements: + * Drop dont-force-gold-on-arm64.patch as upstream no longer forces gold on arm64 + Fixes boo#1170826 + +------------------------------------------------------------------- Old: ---- dont-force-gold-on-arm64.patch go1.25.9.src.tar.gz New: ---- go1.25.10.src.tar.gz ----------(Old B)---------- Old:- Packaging improvements: * Drop dont-force-gold-on-arm64.patch as upstream no longer forces gold on arm64 Fixes boo#1170826 ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ go1.25.spec ++++++ --- /var/tmp/diff_new_pack.pwxx5l/_old 2026-05-08 16:47:13.749809845 +0200 +++ /var/tmp/diff_new_pack.pwxx5l/_new 2026-05-08 16:47:13.753810011 +0200 @@ -107,7 +107,7 @@ %endif Name: go1.25 -Version: 1.25.9 +Version: 1.25.10 Release: 0 Summary: A compiled, garbage-collected, concurrent programming language License: BSD-3-Clause @@ -121,8 +121,6 @@ # Preferred form when all arches share llvm race version # Source100: llvm-tsan_commit.tar.xz Source100: llvm-51bfeff0e4b0757ff773da6882f4d538996c9b04.tar.xz -# PATCH-FIX-OPENSUSE: https://go-review.googlesource.com/c/go/+/391115 -Patch7: dont-force-gold-on-arm64.patch Patch9: go-fixseccomp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # boostrap @@ -216,7 +214,6 @@ # go %setup -q -n go -%patch -P 7 -p1 # SLE-12 only: Add declarations to Cgo seccomp_linux.go # for new syscalls seccomp and getrandom which are not present ++++++ go1.25.9.src.tar.gz -> go1.25.10.src.tar.gz ++++++ /work/SRC/openSUSE:Factory/go1.25/go1.25.9.src.tar.gz /work/SRC/openSUSE:Factory/.go1.25.new.1966/go1.25.10.src.tar.gz differ: char 17, line 1
